예제 #1
 def on_response(self, response: IpcView, output: Any) -> None:
     """Report the matched IPC view as an "SSH IPC" hit.

     Args:
         response: the IPC node that satisfied the analyzer's query.
         output: sink whose ``send`` receives the ``ExecutionHit``.
     """
     hit = ExecutionHit(
         analyzer_name="SSH IPC",
         node_view=response,
         risk_score=75,  # score inherited from the original rule
     )
     output.send(hit)
예제 #2
 def on_response(self, response: ProcessView, output: Any):
     """Report the matched process as a "Browser Created File" hit.

     Args:
         response: the process view returned by the analyzer query.
         output: sink whose ``send`` receives the ``ExecutionHit``.
     """
     hit_fields = {
         "analyzer_name": "Browser Created File",
         "node_view": response,
         "risk_score": 5,  # low score: browser file writes are common
     }
     output.send(ExecutionHit(**hit_fields))
예제 #3
    def on_response(self, response: ProcessView, output: Any):
        """Flag an osascript process that read a file few other osascript processes read.

        A read file counts as rare when the counter reports fewer than 4
        osascript processes reading the same path. The first rare file is
        enough to emit the hit, so scanning stops there.

        Args:
            response: the matched osascript process view.
            output: sink whose ``send`` receives the ``ExecutionHit``.
        """
        hostname = response.get_asset().get_hostname()

        def _is_rare(read_file) -> bool:
            # Rarity is measured against every osascript process that read the
            # same path; the threshold of 4 is inherited from the original rule.
            query = ProcessQuery().with_process_name(eq="osascript").with_read_files(
                FileQuery().with_file_path(read_file.get_file_path())
            )
            return self.counter.get_count_for(query) < 4

        # any() short-circuits on the first rare file, like the original loop's break.
        if any(_is_rare(read_file) for read_file in response.get_read_files()):
            output.send(
                ExecutionHit(
                    analyzer_name="Osascript Process Execution - Rare File Read",
                    node_view=response,
                    risk_score=5,
                    lenses=hostname,
                )
            )
예제 #4
 def on_response(self, response: ProcessView, output: Any):
     """Report the matched process as a "Cmd Child Network" hit.

     Args:
         response: the process view returned by the analyzer query.
         output: sink whose ``send`` receives the ``ExecutionHit``.
     """
     hit = ExecutionHit(
         analyzer_name="Cmd Child Network",
         node_view=response,
         risk_score=5,  # score inherited from the original rule
     )
     output.send(hit)
예제 #5
 def on_response(self, response: ProcessView, output: Any):
     """Report the matched process as a SetupComplete.cmd (CVE-2019-1378) hit.

     Args:
         response: the process view returned by the analyzer query.
         output: sink whose ``send`` receives the ``ExecutionHit``.
     """
     hit_fields = dict(
         analyzer_name="Exploiting SetupComplete.cmd CVE-2019-1378",
         node_view=response,
         risk_score=50,  # score inherited from the original rule
     )
     output.send(ExecutionHit(**hit_fields))
예제 #6
 def on_response(self, response: ProcessView, output: Any):
     """Report the matched process as a "Common Target Application With Child Process" hit.

     Args:
         response: the process view returned by the analyzer query.
         output: sink whose ``send`` receives the ``ExecutionHit``.
     """
     hit = ExecutionHit(
         analyzer_name="Common Target Application With Child Process",
         node_view=response,
         risk_score=75,  # score inherited from the original rule
     )
     output.send(hit)
예제 #7
 def on_response(self, response: ProcessView, output: Any):
     """Report the matched process as a "Suspicious svchost" hit.

     Args:
         response: the process view returned by the analyzer query.
         output: sink whose ``send`` receives the ``ExecutionHit``.
     """
     hit_fields = {
         "analyzer_name": "Suspicious svchost",
         "node_view": response,
         "risk_score": 75,  # score inherited from the original rule
     }
     output.send(ExecutionHit(**hit_fields))
예제 #8
 def on_response(self, response: ProcessView, output: Any):
     """Report the matched process as a "Powershell With Child Process" hit.

     Args:
         response: the process view returned by the analyzer query.
         output: sink whose ``send`` receives the ``ExecutionHit``.
     """
     hit = ExecutionHit(
         analyzer_name="Powershell With Child Process",
         node_view=response,
         risk_score=25,  # score inherited from the original rule
     )
     output.send(hit)
예제 #9
 def on_response(self, response: ProcessView, output: Any):
     """Report the matched process as a "Process Deletes Binary File" hit.

     Args:
         response: the process view returned by the analyzer query.
         output: sink whose ``send`` receives the ``ExecutionHit``.
     """
     hit_fields = dict(
         analyzer_name="Process Deletes Binary File",
         node_view=response,
         risk_score=20,  # score inherited from the original rule
     )
     output.send(ExecutionHit(**hit_fields))
예제 #10
 def on_response(self, response: ProcessView, output: Any):
     """Report the matched process as a "Process Executing From Unpacked File" hit.

     The process name is echoed to stdout before the hit is sent; the
     original rule does this with ``print`` rather than a logger.

     Args:
         response: the process view returned by the analyzer query.
         output: sink whose ``send`` receives the ``ExecutionHit``.
     """
     process_name = response.get_process_name()
     print(f'Unpacked process: {process_name}')
     hit = ExecutionHit(
         analyzer_name="Process Executing From Unpacked File",
         node_view=response,
         risk_score=15,  # score inherited from the original rule
     )
     output.send(hit)
예제 #11
    def on_response(self, response: ProcessView, output: Any):
        """Report the matched process as a "Cmd Child Network" hit, lensed by host.

        Args:
            response: the process view returned by the analyzer query.
            output: sink whose ``send`` receives the ``ExecutionHit``.
        """
        hostname = response.get_asset().get_hostname()
        hit = ExecutionHit(
            analyzer_name="Cmd Child Network",
            node_view=response,
            risk_score=5,  # score inherited from the original rule
            lenses=hostname,
        )
        output.send(hit)
예제 #12
 def on_response(self, response: ProcessView, output: Any):
     """Report the matched process as a "Python Process With Many Shells" hit.

     Args:
         response: the process view returned by the analyzer query.
         output: sink whose ``send`` receives the ``ExecutionHit``.
     """
     hit_fields = {
         "analyzer_name": "Python Process With Many Shells",
         "node_view": response,
         "risk_score": 5,  # score inherited from the original rule
     }
     output.send(ExecutionHit(**hit_fields))
예제 #13
 def on_response(self, response: ProcessView, output: Any):
     """Report the matched process as a "CmdChildOfDns" hit, lensed by hostname.

     Args:
         response: the process view returned by the analyzer query.
         output: sink whose ``send`` receives the ``ExecutionHit``.
     """
     host = response.get_asset().get_hostname()
     # Lens is given as (lens_type, value) pairs here, unlike rules that pass
     # the bare hostname; both forms are kept as the original wrote them.
     hit = ExecutionHit(
         analyzer_name="CmdChildOfDns",
         node_view=response,
         risk_score=100,  # score inherited from the original rule
         lenses=[("hostname", host)],
     )
     output.send(hit)
예제 #14
    def on_response(self, response: ProcessView, output: Any):
        """Report the matched process as a "Python Process With Many Shells" hit, lensed by host.

        Args:
            response: the process view returned by the analyzer query.
            output: sink whose ``send`` receives the ``ExecutionHit``.
        """
        hostname = response.get_asset().get_hostname()
        hit_fields = dict(
            analyzer_name="Python Process With Many Shells",
            node_view=response,
            risk_score=5,  # score inherited from the original rule
            lenses=hostname,
        )
        output.send(ExecutionHit(**hit_fields))
예제 #15
파일: main.py 프로젝트: wimax-grapl/grapl
    def on_response(self, response: ProcessView, output: Any):
        """Report the matched process as a "Suspicious svchost" hit, lensed by hostname.

        Args:
            response: the process view returned by the analyzer query.
            output: sink whose ``send`` receives the ``ExecutionHit``.
        """
        host = response.get_asset().get_hostname()
        hit = ExecutionHit(
            analyzer_name="Suspicious svchost",
            node_view=response,
            risk_score=75,  # score inherited from the original rule
            lenses=[("hostname", host)],
        )
        output.send(hit)
예제 #16
    def on_response(self, response: ProcessView, output: Any):
        """Report the matched process as a "Process Deletes Binary File" hit, lensed by host.

        Args:
            response: the process view returned by the analyzer query.
            output: sink whose ``send`` receives the ``ExecutionHit``.
        """
        hostname = response.get_asset().get_hostname()
        hit_fields = {
            "analyzer_name": "Process Deletes Binary File",
            "node_view": response,
            "risk_score": 20,  # score inherited from the original rule
            "lenses": hostname,
        }
        output.send(ExecutionHit(**hit_fields))
예제 #17
    def on_response(self, response: ProcessView, output: Any):
        """Report a "Common Target Application With Child Process" hit, lensed by host.

        Args:
            response: the process view returned by the analyzer query.
            output: sink whose ``send`` receives the ``ExecutionHit``.
        """
        hostname = response.get_asset().get_hostname()
        hit = ExecutionHit(
            analyzer_name="Common Target Application With Child Process",
            node_view=response,
            risk_score=75,  # score inherited from the original rule
            lenses=hostname,
        )
        output.send(hit)
예제 #18
    def on_response(self, response: ProcessView, output: Any):
        """Report a "Powershell With Child Process" hit, lensed by host.

        Args:
            response: the process view returned by the analyzer query.
            output: sink whose ``send`` receives the ``ExecutionHit``.
        """
        hostname = response.get_asset().get_hostname()
        hit_fields = dict(
            analyzer_name="Powershell With Child Process",
            node_view=response,
            risk_score=25,  # score inherited from the original rule
            lenses=hostname,
        )
        output.send(ExecutionHit(**hit_fields))
예제 #19
    def on_response(self, response: ProcessView, output: Any):
        """Report a SetupComplete.cmd (CVE-2019-1378) hit, lensed by host.

        Args:
            response: the process view returned by the analyzer query.
            output: sink whose ``send`` receives the ``ExecutionHit``.
        """
        hostname = response.get_asset().get_hostname()
        hit = ExecutionHit(
            analyzer_name="Exploiting SetupComplete.cmd CVE-2019-1378",
            node_view=response,
            risk_score=50,  # score inherited from the original rule
            lenses=hostname,
        )
        output.send(hit)
예제 #20
    def on_response(self, response: ProcessView, output: Any):
        """Report a "Browser Created File" hit, lensed by host.

        Args:
            response: the process view returned by the analyzer query.
            output: sink whose ``send`` receives the ``ExecutionHit``.
        """
        hostname = response.get_asset().get_hostname()
        hit_fields = {
            "analyzer_name": "Browser Created File",
            "node_view": response,
            "risk_score": 5,  # low score: browser file writes are common
            "lenses": hostname,
        }
        output.send(ExecutionHit(**hit_fields))
예제 #21
        def on_response(self, response: IpcView, output: Any) -> None:
            """Report the matched IPC view as an "SSH IPC" hit, lensed by the creator's host.

            Args:
                response: the IPC node that satisfied the analyzer's query.
                output: sink whose ``send`` receives the ``ExecutionHit``.
            """
            # The lens is the hostname of the asset that created the IPC, not
            # the recipient's.
            creator_host = response.get_ipc_creator().get_asset().get_hostname()
            hit = ExecutionHit(
                analyzer_name="SSH IPC",
                node_view=response,
                risk_score=75,  # score inherited from the original rule
                lenses=creator_host,
            )
            output.send(hit)
예제 #22
파일: main.py 프로젝트: xiamufugui/grapl
    def on_response(self, response: GuardDutyFindingView, output: Any):
        """Forward a GuardDuty finding as a hit, lensed by the finding's account id.

        Args:
            response: the GuardDuty finding view returned by the analyzer query.
            output: sink whose ``send`` receives the ``ExecutionHit``.
        """
        account = response.get_account_id()
        hit_fields = dict(
            analyzer_name="GuardDuty Finding",
            node_view=response,
            risk_score=75,  # score inherited from the original rule
            lenses=account,
        )
        output.send(ExecutionHit(**hit_fields))
예제 #23
 def on_response(self, response: ProcessView, output: Any):
     """Flag an SSH process whose parent/child pairing has been seen at most 3 times.

     The count is always echoed to stdout (the original uses ``print``);
     a hit is sent only when the pairing is rare.

     Args:
         response: the matched process view (the child).
         output: sink whose ``send`` receives the ``ExecutionHit``.
     """
     parent_name = response.get_parent().get_process_name()
     child_name = response.get_process_name()
     count = self.counter.get_count_for(
         parent_process_name=parent_name,
         child_process_name=child_name,
     )
     print(f'Counted {count} for parent -> ssh')
     # Threshold of 3 is inherited from the original rule.
     if count > 3:
         return
     hit = ExecutionHit(
         analyzer_name="Rare Parent of SSH",
         node_view=response,
         risk_score=5,
     )
     output.send(hit)
예제 #24
    def on_response(self, response: ProcessView, output: Any):
        """Flag a process that has rarely been observed spawning cmd.exe.

        A hit is sent when the counter reports at most 3 prior
        (parent, ``cmd.exe``) pairings for this parent process name.

        Args:
            response: the matched parent process view.
            output: sink whose ``send`` receives the ``ExecutionHit``.
        """
        pairing_count = self.counter.get_count_for(
            parent_process_name=response.get_process_name(),
            child_process_name="cmd.exe",
        )
        # Threshold of 3 is inherited from the original rule.
        if pairing_count > 3:
            return
        hit_fields = dict(
            analyzer_name="Rare Parent of cmd.exe",
            node_view=response,
            risk_score=5,
        )
        output.send(ExecutionHit(**hit_fields))
예제 #25
        def on_response(self, child: ProcessView, output: Any):
            """Flag a child process whose user id differs from its parent's.

            Args:
                child: the matched child process view.
                output: sink whose ``send`` receives the ``ExecutionHit``.
            """
            parent = child.get_parent()
            # get_user_id is a module-level helper; both lookups happen before
            # the comparison, as in the original.
            uid_of_child = get_user_id(child)
            uid_of_parent = get_user_id(parent)
            if uid_of_child == uid_of_parent:
                return
            hit = ExecutionHit(
                analyzer_name="Parent Child User Mismatch",
                node_view=child,
                risk_score=25,  # score inherited from the original rule
            )
            output.send(hit)
예제 #26
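    def on_response(self, response: ProcessView, output: Any):
        """Flag a Windows builtin whose parent/child pairing has been seen at most 2 times.

        Fix: the original read the parent and process names from ``output``
        (the hit sink) instead of ``response`` (the matched process view), so
        the counter was queried with the wrong object. The names now come
        from ``response``.

        Args:
            response: the matched process view (the child).
            output: sink whose ``send`` receives the ``ExecutionHit``.
        """
        count = self.counter.get_count_for(
            parent_process_name=response.get_parent().get_process_name(),
            child_process_name=response.get_process_name(),
        )

        # Threshold of 2 is inherited from the original rule.
        if count <= 2:
            output.send(
                ExecutionHit(
                    analyzer_name="Unique Windows Builtin Execution",
                    node_view=response,
                    risk_score=15,
                )
            )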
예제 #27
    def on_response(self, response: ProcessView, output: Any) -> None:
        """Flag a process that has rarely spawned cmd.exe, lensed by hostname.

        A hit is sent when the counter reports at most 3 prior
        (parent, ``cmd.exe``) pairings for this parent process name.

        Args:
            response: the matched parent process view.
            output: sink whose ``send`` receives the ``ExecutionHit``.
        """
        pairing_count = self.counter.get_count_for(
            parent_process_name=response.get_process_name(),
            child_process_name="cmd.exe",
        )
        # Hostname is resolved before the threshold check, as in the original.
        host = response.get_asset().get_hostname()
        # Threshold of 3 is inherited from the original rule.
        if pairing_count > 3:
            return
        hit = ExecutionHit(
            analyzer_name="Rare Parent of cmd.exe",
            node_view=response,
            risk_score=10,
            lenses=[("hostname", host)],
        )
        output.send(hit)
예제 #28
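        def on_response(self, response: IpcView, output: Any):
            """Flag an IPC whose creator and recipient lineages disagree on UID or AUID.

            ``get_uid_auid_lineage`` (module-level helper) yields the set of
            uids and the set of auids along each side's lineage. The two
            sides are treated as consistent when one side's id set is
            contained in the other's.

            Fix: the original assigned the containment test itself to
            ``user_mismatch``/``auid_mismatch``, so the hit fired on
            consistent lineages and stayed silent on divergent ones. The
            containment result is now negated so "mismatch" means mismatch.

            Args:
                response: the matched IPC view.
                output: sink whose ``send`` receives the ``ExecutionHit``.
            """
            print(f'Received suspicious IPC view: {response.node_key}')

            src_uids, src_auids = get_uid_auid_lineage(response.get_ipc_creator())
            tgt_uids, tgt_auids = get_uid_auid_lineage(response.get_ipc_recipient())

            # Consistent when either side's ids are contained in the other's.
            uids_consistent = src_uids.issuperset(tgt_uids) or src_uids.issubset(tgt_uids)
            auids_consistent = src_auids.issuperset(tgt_auids) or src_auids.issubset(tgt_auids)

            user_mismatch = not uids_consistent
            auid_mismatch = not auids_consistent

            if user_mismatch or auid_mismatch:
                output.send(
                    ExecutionHit(
                        analyzer_name="Ssh Agent Access: UID or AUID mismatch in lineage",
                        node_view=response,
                        risk_score=100,
                    )
                )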
예제 #29
        def on_response(self, response: IpcView, output: Any):
            """Flag an IPC whose creator and recipient differ in UID or AUID.

            ``get_user_id`` and ``get_auid`` are module-level helpers. The IPC
            view's node key is echoed to stdout first (the original uses
            ``print``).

            Args:
                response: the matched IPC view.
                output: sink whose ``send`` receives the ``ExecutionHit``.
            """
            print(f'Received suspicious IPC view: {response.node_key}')
            creator_host = response.get_ipc_creator().get_asset().get_hostname()

            creator = response.get_ipc_creator()
            recipient = response.get_ipc_recipient()

            uid_differs = get_user_id(creator) != get_user_id(recipient)
            auid_differs = get_auid(creator) != get_auid(recipient)

            if not (uid_differs or auid_differs):
                return
            hit = ExecutionHit(
                analyzer_name="Ssh Agent Access: UID or AUID mismatch",
                node_view=response,
                risk_score=100,  # score inherited from the original rule
                lenses=creator_host,
            )
            output.send(hit)
예제 #30
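    def on_response(self, response: ProcessView, output: Any):
        """Flag an SSH process whose grandparent/grandchild pairing is rare, lensed by host.

        The counter is queried with the grandparent's process name and this
        process's name; a hit is sent when at most 3 such pairings were
        counted.

        Fix: the diagnostic line printed "parent -> ssh" although the counter
        is keyed on the grandparent; the message now says "grandparent".

        Args:
            response: the matched process view (the grandchild).
            output: sink whose ``send`` receives the ``ExecutionHit``.
        """
        asset_id = response.get_asset().get_hostname()

        # Two hops up; the original chains the calls without a None check,
        # so a missing parent would raise here as before.
        grand_parent_name = response.get_parent().get_parent().get_process_name()
        count = self.counter.get_count_for(
            grand_parent_process_name=grand_parent_name,
            grand_child_process_name=response.get_process_name(),
        )

        print(f'Counted {count} for grandparent -> ssh')

        # Threshold of 3 is inherited from the original rule.
        if count <= 3:
            output.send(
                ExecutionHit(
                    analyzer_name="Rare GrandParent of SSH",
                    node_view=response,
                    risk_score=5,
                    lenses=asset_id,
                ))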